I am working on typing up some notes for the Wiki on configuring this for PIX, 
but I finally got mine working late last week.  The trick is that you do NOT 
need to install syslog on your OSSEC server.  If you do install a syslog 
service, you need to configure the device to monitor with OSSEC to use a port 
other than 514/UDP.  You also need to specify the port configuration for this 
alternate port in your ossec.conf file using the <port> directive under the 
<remote> heading for syslog.  If you do not do this and you install syslog-ng, 
you will note in your ossec.log file that the ossec-remoted service is unable 
to bind to port 514/UDP because another service is already listening on that 
port.

Hope this helps.  Detailed instructions are coming soon.
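
As an added illustration of the configuration the reply describes (this is not the author's own config, and the port number and network are placeholders chosen for the example), the <port> directive sits inside the <remote> block that declares a syslog listener in ossec.conf. OSSEC's syslog listener defaults to 514/UDP; setting <port> moves it off the port a local syslog-ng would otherwise hold. The <allowed-ips> entry is required: ossec-remoted drops syslog packets from any source not listed there.

```xml
<ossec_config>
  <!-- Syslog listener used by ossec-remoted for network devices (PIX, etc.). -->
  <remote>
    <connection>syslog</connection>
    <!-- Alternate port so the listener does not collide with a local
         syslog daemon bound to 514/UDP (1514 is an example value). -->
    <port>1514</port>
    <!-- Only accept syslog from these sources; 192.0.2.0/24 is a
         documentation placeholder, replace with the device's address. -->
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
```

The device must then be configured to send syslog to this same alternate UDP port, otherwise its messages keep going to 514 and land in syslog-ng (or nowhere) instead of ossec-remoted. After restarting OSSEC, the absence of a "bind" error for the remote daemon in /var/ossec/logs/ossec.log is the quick check that the listener actually started.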


-----Original Message-----
From: [email protected] on behalf of Forrest Aldrich
Sent: Sat 9/16/2006 9:06 AM
To: [email protected]
Subject: [ossec-list] syslog logging
 

I have syslog configured on my OSSEC server and agent.  But I don't see 
any syslog messages from ossec in any of the logs.   My syslog.conf has 
these:

*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
daemon.alert                            /var/log/alert.log
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron

This is pretty much the stock values from FreeBSD 6.1.

Things are getting logged into the various ossec logs themselves (under 
/var/ossec).

Once I determine my config is correct, I want to start shipping those 
syslog messages over the net to another server...

I may end up using syslog-ng at some point.


Thanks.




